Posted on January 15, 2021 at 8:08 AM
The US Cybersecurity and Infrastructure Security Agency (CISA) has revealed that threat actors are getting around multi-factor authentication (MFA) protocols to compromise cloud service accounts.
CISA revealed in a report that there have been several successful attacks on the cloud services of organizations. The attackers use phishing and other tools to take advantage of vulnerabilities and security lapses in the victims' cloud service configurations.
The report also noted that the threat actors utilized several techniques and tactics such as brute force login attempts and phishing attacks to exploit weaknesses in the cloud service of the target organization.
Weak cyber hygiene practices
According to the CISA, these types of attacks usually occur when the employees of the victim organizations work remotely and make use of a mixture of personal devices and corporate laptops to access their cloud services. Although these organizations make use of security tools, the threat actors gain access to their cloud services due to weak cyber hygiene practices.
In response to the challenges faced by organizations, CISA has released an Analysis Report on improving security configurations to provide stronger protection against cyberattacks. The report offers advice and guidelines to help companies detect and respond to potential attacks, and it also provides mitigation procedures to help strengthen the configuration of organizations' cloud environments.
MFA doesn’t completely stop phishing attacks
Even though multi-factor authentication is an excellent control that adds a layer of security, it does not make it impossible for a determined and sophisticated attacker to succeed.
For example, in 2018, crypto exchange Binance stopped all withdrawals after noticing some abnormal trading activities on its platform.
Binance later discovered that an attacker had launched a phishing campaign that redirected users to a fake site purporting to be Binance. The site asked users to enter their passwords and multi-factor authentication codes. Since an MFA code can stay valid for a minute, the attacker could use it to obtain a trading API key on the real Binance site.
Although some attackers can still bypass MFA through technical and social engineering attacks, it remains one of the most effective ways of protecting accounts. So users are still advised to use MFA to protect their accounts.
As Microsoft has pointed out, “your account is more than 99.9% less likely to be compromised if you use MFA.”
Indeed, much of the responsibility for protecting accounts rests with users. They should make sure their MFA codes are entered only on genuine sites, not on fake ones designed by attackers to trick them.
Once attackers have gained access to an organization's cloud-based service, they have several options. With such access, they can gather information about the organization, set up mail forwarding rules, attack the systems of partners and other employees, and exfiltrate data.
CISA said that brute force attacks using username and password combinations fail more often than they succeed, because many organizations are now enabling MFA. In one of the successful incidents, CISA said the attackers may have used browser cookies to bypass MFA in a "pass-the-cookie" attack.
This type of attack hijacks an already authenticated session by replaying stolen cookies, giving the attacker access to online services or web applications without re-authenticating.
In another successful attack, CISA revealed that the attackers collected sensitive information by taking advantage of email forwarding rules that users had set up to forward work emails to their personal email accounts.
The agency also found that threat actors were creating new mailbox rules that forward certain messages received by the user, particularly messages containing phishing-related keywords.
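One way a defender can hunt for the mailbox-rule abuse described above is to review mailbox-rule change events for external forwarding targets and for rules that hide security-themed mail. The following is an added example, not code from the article or from CISA; the records are constructed in a simplified shape modelled on Microsoft 365 audit entries for the Exchange inbox-rule cmdlets, and the keyword watchlist is an assumption.

```python
import re

# Constructed sample records (simplified: a flat "Parameters" dict rather than
# the real audit log's name/value list). Values are made up for this example.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.org",
     "Parameters": {"Name": "sync", "ForwardTo": "alice.home@mail-example.net",
                    "SubjectContainsWords": ["phishing", "security alert"],
                    "DeleteMessage": True}},
    {"Operation": "New-InboxRule", "UserId": "bob@example.org",
     "Parameters": {"Name": "invoices", "MoveToFolder": "Finance",
                    "SubjectContainsWords": ["invoice"]}},
    {"Operation": "Set-Mailbox", "UserId": "carol@example.org",
     "Parameters": {"ForwardingSmtpAddress": "smtp:carol@example.org"}},
]

INTERNAL_DOMAINS = {"example.org"}
# Assumed watchlist: terms a rule designed to hide security warnings would match.
SUSPECT_WORDS = re.compile(r"phish|security|password|hack|suspicious|verify", re.I)
# Cmdlet parameters that send mail somewhere else (real Exchange parameter names).
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")

def is_external(address, internal_domains):
    """True if an SMTP address (optionally 'smtp:' prefixed) is outside the org."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr.rsplit("@", 1)[-1] not in internal_domains

def flag_suspicious_rules(events, internal_domains=INTERNAL_DOMAINS):
    """Return (UserId, reason) findings for rule changes worth an analyst's look."""
    findings = []
    for ev in events:
        if ev["Operation"] not in RULE_OPERATIONS:
            continue
        p = ev["Parameters"]
        # Finding 1: any forwarding/redirect target outside the organization.
        for field in FORWARD_FIELDS:
            target = p.get(field)
            if target and is_external(target, internal_domains):
                findings.append((ev["UserId"], f"external forward via {field} -> {target}"))
        # Finding 2: a rule that matches security-themed subjects/bodies and then
        # deletes or files the message away, so the victim never sees the warning.
        words = " ".join(p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", []))
        if SUSPECT_WORDS.search(words) and (p.get("DeleteMessage") or p.get("MoveToFolder")):
            findings.append((ev["UserId"], f"rule hides security-themed mail: {words!r}"))
    return findings
```

Run over the constructed records, only Alice's rule is flagged (twice); Bob's finance filter and Carol's internal forward are left alone.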
Preventing attacks through a phishing awareness campaign
Tim Wade, technical director at Vectra, said most cyberattacks would be prevented if organizations improved employee awareness of phishing attacks and practised good IT security hygiene. He further stated that it is impossible to attain perfection in these areas because of human error. But a broad awareness campaign on cybersecurity and phishing attacks will go a long way toward reducing the attacks.
Whether the weaknesses are unknown or are known IT hygiene gaps, organizations will prevent many attacks if they can zero in on an active risk and take the appropriate preventive action, Wade added.